Twitter mention spam goes for the gut

In the swirling seas of spam emails that our analysts come across every day, the anti-stomach-fat/six-pack-abs theme repeats itself quite regularly. Unless they are tricked by some fiendishly clever social engineering (see here and here), most email recipients know better than to follow links to sites promising ultimate waistline thinness. But what happens when these links are delivered by Twitter? The distribution rates might be lower, but we suspect that the click-through rates are much higher.

How Twitter mentions work: Anyone can create a tweet and “mention” another Twitter user by adding the “@” symbol and the Twitter username. As an example, consider our colleagues at StopBadware who mentioned us in their tweet about our joint report on compromised websites.

We saw this tweet on our Twitter page because we were “mentioned” – and we assume the shortened link leads to the report itself.

Using Twitter mentions to send spam: This method can also be used to send spam to any Twitter user as shown in the tweet below:

Evil (or compromised) user “Ford—-” has created a tweet mentioning user “Pulp—-” and included a link “vg4fi.co.cc/q—”. Clicking on the link results in several redirects that ultimately lead to a website promoting “a more sublime waistline”.

Why this spam-sending method works:

  • The short-message nature of Twitter results in tweets that contain short links and very little else. So when Twitter users see a link with no explanation there is a good chance they will click to see where the link leads.
  • Users with smaller Twitter accounts (tens of followers as opposed to thousands) will likely be interested that they were “mentioned”, and will follow the link to see where it leads.
  • The spammer is sending a limited number of messages per day per account – thus staying below the radar of Twitter’s automated spam detection algorithms. The screenshot below shows a collection of messages sent per day using the “mention” technique:
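The three traits listed above (a bare link, a sender the recipient has no connection to, and low per-account volume) can be turned into a simple triage for incoming mentions. The following is an added example, not code from the original post: it scores constructed sample tweets on the first two traits and, because per-account counts stay deliberately low, pivots on the link's destination domain across senders instead. The `recipient_follows_sender` field and the path suffixes such as `qaaa` are assumptions standing in for data a real feed would supply.

```python
import re
from collections import defaultdict

# Constructed sample tweets in which the account "victim" is mentioned.
# recipient_follows_sender is an assumed field modelling whether the
# mentioned user already follows the sender (a real feed would supply it).
SAMPLE_TWEETS = [
    {"sender": "stopbadware", "day": "2011-02-01", "recipient_follows_sender": True,
     "text": "New joint report with @victim on compromised websites: bit.ly/abc123"},
    {"sender": "ford_x", "day": "2011-02-01", "recipient_follows_sender": False,
     "text": "@victim vg4fi.co.cc/qaaa"},
    {"sender": "pulp_y", "day": "2011-02-01", "recipient_follows_sender": False,
     "text": "@victim @other http://vg4fi.co.cc/qbbb"},
    {"sender": "friend", "day": "2011-02-01", "recipient_follows_sender": True,
     "text": "@victim are you coming to the meetup tonight?"},
]

# Group 1 captures the domain; the optional path is swallowed but not captured.
URL_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?")
MENTION_RE = re.compile(r"@\w+")

def is_bare_link(text):
    """True when the tweet carries a link and nothing but mentions around it."""
    leftover = URL_RE.sub("", MENTION_RE.sub("", text)).strip()
    return URL_RE.search(text) is not None and leftover == ""

def score_tweet(tweet):
    """Per-tweet heuristics from the post: bare link plus an unconnected sender."""
    reasons = []
    if is_bare_link(tweet["text"]):
        reasons.append("link with no explanatory text")
    if not tweet["recipient_follows_sender"]:
        reasons.append("sender not followed by recipient")
    return reasons

def senders_per_domain(tweets):
    """Distinct senders per link domain per day. Each account stays under a
    per-account rate threshold, but the shared destination domain stands out."""
    seen = defaultdict(set)
    for t in tweets:
        for m in URL_RE.finditer(t["text"]):
            seen[(m.group(1).lower(), t["day"])].add(t["sender"])
    return {key: len(senders) for key, senders in seen.items()}

def flag_mentions(tweets, min_reasons=2):
    """Senders whose tweets trip at least min_reasons of the heuristics."""
    return {t["sender"]: score_tweet(t) for t in tweets
            if len(score_tweet(t)) >= min_reasons}
```

Run on the sample, `flag_mentions` returns the two unconnected bare-link senders, and `senders_per_domain` shows both pointing at the same domain even though each sent only one mention that day.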

In this case the destination is a spam site – but it could just as easily be a site hosting malware. Twitter users should avoid clicking links that arrive without even the slightest description from accounts they obviously have no connection to.

Update – the links now redirect to a work-at-home scam.